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(57) Abstract 

A user inputting his access code into a computing environment to access a transaction Is at risk of losing the access code to an 
attacker who has physical or electronic access to the computing environment To minimize this risk, the access code can be entered via a 
plurality of user-selectable fields, each of which takes on a scries of values in the initial display (330). The initially displayed values are 
established in a random or otherwise unpredictable manner using a pseudo-random number generator (310). The user then uses a mouse, 
keyboard, or other input device (340) to increment each of the selectable fields until the access code is correctly entered. Because of the 
randomization of the initial state, an attacker tracking the locations or number of mouse clicks or other navigation actions, can not determine 
the finally entered access code by, e.g., computing the offset from a known inital state. 



I: <WO n<V«fl07RAi i > 



FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT. 



AL 


Albania 


ES 


Spain 


LS 


Lesotho 


SI 


Slovenia 


AM 


Annenia 


FI 


Finland 


LT 


Lithuania 


SK 


Slovakia 


AT 


Austria 


FR 


France 


LU 


Luxembourg 


SN 


Senegal 


AU 


Australia 


GA 


Gabon 


LV 


L^via 


SZ 


Swaziland 


AZ 


Azerbaijan 


GB 


United Kingdom 


MC 


Monaco 


TD 


Chad 


BA 


Bosnia and Heneegovina 


GE 


Georgia 


MD 


Republic of Moldova 


TG 


Togo 


BB 


Barbados 


GH 


Ghana 


MG 


Madagascar 


TJ 


Tajikistan 


BR 


Belgium 


GN 


Guinea 


MK 


The fomiicr Yugoslav 


TM 


'Hirkmenistan 


BF 


Burkina Paso 


GR 


Greece 




Republic of Macedonia 


TO 


Turkey 


BG 


Bulgaria 


m 


Hungary 


ML 


Mali 


TT 


Trinidad and Tobago 


BJ 


Benin 


IE 


Ireland 


MN 


Mongolia 


UA 


Ukraine 


BR 


Brazil 


IL 


Israel 


MR 


Mauritania 


VG 


Uganda 


BY 


Belanis 


IS 


Iceland 


MW 


Malawi 


US 


United States of Amerk:a 


CA 


Canada 


IT 


Italy 


MX 


Mexico 


uz 


Uzbekistan 


CF 


Central African R^ublic 


JP 


Japan 


NE 


Niger 


VN 


Viet Nam 


CG 


Congo 


KE 


Kenya 


NL 


Netherlands 


YU 


Yugoslavia 


CH 


Switzerland 


KG 


Kyrgyzstan 


NO 


Norway 


ZW 


Zimbabwe 


CI 


C6tc d'lvoirc 


KP 


Democratic People's 


NZ 


New Zealand 






CM 


Cameroon 




Republic of Korea 


PL 


Poland 






CN 


China 


KK 


Republic of Korea 


PT 


Portugal 






cu 


Cuba 


KZ 


Kazakstan 


RO 


Romania 






cz 


Czech Republic 


LC 


Saint Lucia 


RV 


Russian Federation 






DE 


Gemiany 


LI 


Liechtenstein 


SD 


Sudan 






DK 


Denmark 


LK 


Sri Lanka 


SE 


Sweden 






EE 


Estonia 


LR 


Liberia 


SG 


Stngapoie 







wo 00/48076 



PCT/USOO/03692 



METHOD AND APPARATUS FOR SECURE ENTRY OF ACCESS CODES IN A 

COMPUTER ENVIRONMENT 

Background of the Invention 

5 In a computer environment, access to a transaction (e.g., obtaining secret data kept on 

a computer, ordering a good or service via the computer, or accessing funds at an automatic 
teller machine (ATM) or point of sale (POS)) is usually protected by a personal identilication 
number (PIN), a password, or other access code. When the user wishes to conduct the 
transaction, he types in his access code, and is allowed access (e.g., via an access control 

10 module) if the entered value correctly matches a stored value. A typical piece of data that is 
protected in such way is a user's private key, which can constitute a user's identity over the 
Internet or some other system that uses public key cryptography for user identification. If the 
attacker can get access tp this private key, he can impersonate the user, read information 
intended to be private to the user, and conduct still other electronic transactions in the user's 

15 name. 

An attacker might physically gain access to the user's computer physically, or do so 
electronically by loading a virus onto the user's computer. In either case, the attacker can 
then install a program that collects, and saves to a file, all the keystrokes that the user types 
on his keyboard. This file can be retrieved later, either via physical access to the machine or 
. 20 over a network, allowing the attacker to deduce the access code by examining the user's 
keystrokes. Besides keyboard entry, the access code could also be inputted by selecting, via a 
mouse, digits or letters (more generally, characters) from a predetermined pattern of user- 
selectable fields (e.g., a visual representation of a telephone, typewriter, or calculator keypad) 
displayed on a graphical user interface (GUI). In this scenario, the attacker could obtain 
25 information about the access code by capturing the locations (e.g., x- and y- coordinates) of 
mouse clicks and using them to deduce the characters indicated — since the locations of all 
possible characters on the interface occur in a known and fixed pattern (e.g., on a telephone- 
style keypad: Row 1 = 1 , 2, 3; Row 2 = 4, 5, 6; Row 3 = 7, 8, 9; and Row 4 = 0, #). 

Even where the locations of all the alphanumeric characters are not known, an 
30 attacker could still deduce the access code when an initial state of the chaiacter fields is 
known. For example, consider simulating and displaying an in-line combination lock having 
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an initial state of 0-0-0. The user then uses mouse cHcks to turn the wheels (tumblers, rings, 
etc.) of the lock to input his access code. When the digits of the proper combination are all 
aligned in their proper positions, the lock "opens" (i.e., grants the user access to the desired 
transaction). An attacker knowing the initial state and the history of the mouse clicks could 
5 determine the access code by using the history as an offset from the initial state. 

All of the foregoing shows that there is a need for protecting a user's PIN, password, 
or other access code, from disclosure to an attacker who, directly or indirectly, obtains the 
sequence of characters inputted by a user to gain access to a transaction. 

Detailed Description of the Invention 

10 

To prevent an attacker from using histories of the keyboard arrowing, mouse clicking, 
or other navigation or selection techniques to determine the access code, the present invention 
randomizes (or pseudo-randomizes or otherwise makes unpredictable) the initial state of the 
displayed user-selectable fields. Techniques for implementing randomizing logic or modules 

15 are well known to those skilled in the art and need not be described in detail here. As an 
example of displaying user selectable fields, if the display visually imitates a keypad, its 
numbers can be randomly scrambled after each access code entry (e.g.. Row 1 = 4, 6, #; Row 
2 = 2, 9, 8; Row 3 = *, 1, 3; Row 4 = 0, 5, 7). Thus, an attacker who is unable to deduce the 
initial states of the user-selectable fields can not deduce the access code even if the attacker 

20 knows the history of the subsequent mouse clicks or other screen navigation actions. 
Effectively, the user's input appears to the attacker to be a random series of selections. 

Alternatively, if the display depicts a combination lock, it is not necessary to scramble 
the characters (e.g., numbers) on the wheels, but only to start each wheel in an unpredictable 
position. That is, the numbers around the periphery of each wheel can still be ordered 

25 sequentially, as long as the wheels are initialized randomly. The wheels have the further 
advantage of being able to accommodate an arbitrarily large character set (e.g. all 26 letters 
of the alphabet and all 10 digits, if desired), whereas a scrambled keypad containing a large 
number of letters and digits might be inconvenient to use because of the difficulty in locating 
any desired letter or digit, 

30 In yet another embodiment, shown in Figure 1, a randomly initialized "bingo card" 

could be displayed, with the user entering the PIN by clicking on the correct character in each 
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column of Ihe bingo card. The current PIN could be displayable adjacent to the bingo card 
(Figure 1) or the selected PIN characters could be highlighted on the bingo card, e.g. by 
changing the color or shading of the selected characters. 

In still other embodiments, the user-selectable fields could be simply displayed as a 
5 series of character boxes, much like a crossword puzzle or fill-in-the blank game, with each 
field being initialized to an unpredictable alphanumeric character. For example, for a six-digit 
PIN, the system starts by displaying six random digits. To select his PIN, the user cursors 
through the digits. At each digit, he hits the up or down arrow key (to increment the digit by 
+1 or -1 ) an appropriate number of times until the desired digit appears. 
10 Alternatively, as shown in Figure 2, each particular, initially random PIN digit could 

be adjusted to the correct value by clicking on the corresponding or buttons. 

Alternatively, two rows of digits could be used. One row could display an initially 
random PIN digit sequence. The user would input to an adjacent row an offset digit sequence 
such that the correct PIN digit sequence was formed when the offset digit sequence row was 
15 added to the initially random PIN digit sequence row. The resulting correct PIN digit 
sequence could be displayed adjacent to the other two rows. 

In any of the above embodiments, an attacker might be able to examine what is 
displayed on the screen as the user inputs the access code, either through software or by 
physically looking over the user's shoulder. To defeat this attack, a particular user-selectable 
20 field could be made effectively unreadable by darkening it so that its value is not visible 
except when the mouse or cursor is over that field. Similarly, one or more fields could be 
made unreadable by replacing fields, other than the one being instantaneously inputted, with 
asterisks (e.g., see Fig. 1 or Fig. 2) or other non-informational characters, before or after they 
are selected or entered on the screen. In these ways, the attacker's opportunities to read the 
25 characters of the access code as they are entered on the screen are minimized. 

Figure 3 . shows a schematic of an exemplary apparatus for secure entry of an access 
code for secure access to an electronic service, including a hardware or software based secure 
psuedo-random number generator 310 providing an initially randomized input to processor 
320 for display to a user on display 330. Based on the display, the user provides feedback (in 
30 the form of an entered access code) via input device 340, which is passed back through 
processor 320 to access control program 350. Note that a non-visual "display" 330 is also 
possible, e.g. feedback via audio headphones or other output devices. The feedback to the 
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user, whether by visual display or other means, should be harder for an attacker to intercept 
than the user input. 

A wide variety of techniques (e.g. software or hard-wired instructions running on 
processor 320) can be used for implementing the foregoing user-selectable fields in various 
5 environments (e.g. accepting them via input device 340 and displaying them via display 330) 
including, without limitation, the following: 

(a) In an Internet environment, the user-selectable fields could be implemented (i) 
using Javascript on a web page to send the PIN to a common gateway interface 
(CGI) script or active server page, (ii) using a Java applet on a web page to send 
10 the PIN to a CGI script or active server page, (iii) using a plug-in with a GUI on a 

\yeb page to send the PIN to a CGI script or active server page, (iv) using a 
specialized network application with a GUI to send results by a network 
connection to a server application, or (v) using a specialized network application 
with command line input. 
15 (b) In a stand-alone computing environment, the user-selectable fields could be 

implemented (i) by GUI, (ii) by command line entry using the offsets to an initial 
value method, or (iii) by use of a machine logon method. 

(c) In a network PC environment or a personal digital assistant environment, the user- 
selectable fields could be implemented using the methods just described for an 

20 internet environment or a stand-alone computing environment. 

(d) In an ATM or POS environment, the xiser-selectable fields could be implemented 
directly on processor 320 via an application specific integrated circuit (ASIC), 
programmable logic array (PL A), or microcode and displayed on a touch screen or 
keypad. 

25 , These and many other techniques for implementing and displaying the user-selectable 

fields are well known to those skilled in the art, and need not be described in greater detail 
here. 

Similarly, a wide variety of input devices 340 could be used for inputting the user-selectable 
fields including, without limitation, a keyboard, a mouse, a touch pad, a think screen, or other 
30 pointing devices. Hardwaire and program logic code for implementing and controlling these 
devices are well known to those skilled in the art and need not be described in detail here. 
Finallyj although tlie various embodiments have disclosed alphanumeric characters, the 
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displayed fields are not strictly limited to alphanumeric characters, but could also include 
mathematical symbols or discrete elements of ideographic languages such as Japanese or 
Chinese. It should therefore be understood that references to "alphanumeric" or "character" 
include all these and still other linguistic or symbolic elements with which an access code can 
5 be represented. 

Those skilled in the art will readily appreciate that all the foregoing (and many other) 
techniques known to those skilled in the art for creating and displaying visual fields, for 
inputting the access code, and for the format of the access code, can be used in conjunction 
with the present invention. It is therefore intended that the scope of the invention be not 
10 limited to the particular embodiments disclosed herein, but rather to the full breadth of the 
claims appended hereto. 
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CLAIMS 



What is claimed is: 

1 1 . A method for secure entry of an access code for secure access to an electronic service, 

2 comprising the steps of: 

3 (a) randomizing a plurality of fields selectable by a user to input an access code; 

4 (b) displaying, via a graphical user interface, a plurality of selectable fields; 

5 (c) accepting, from said user, a plurality of selections chosen from among said 

6 fields; 

7 (d) grainting, to said user, access to a service if said accepted plurality of 

8 selections correctly correspond to a predetermined access code. 

1 2. The method of claim 1 where said selectable fields include a plurality of 

2 alphanumeric characters. 

1 3. The method of claim 1 where said user selections are accepted from said user via a 

2 pointing device. 

1 4. The method of claim 3 where said pointing device is a touch screen. 

1 5. The method of claim 3 where said pointing device is a mouse. 

1 6. The method of claim 1 where, said user selections are accepted from said user via a 

2 keyboard. 

1 7. The method of claim 1 where said user selections arc accepted from said user via an 

2 incrementing arrow in said graphical user interface. 

1 8. The method of claim 1 where said step of displaying said selectable fields include 

2 displaying a visual form of a keypad containing said fields for viewing by said user. 
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1 9. The method of claim 1 where said step of displaying said selectable fields includes 

2 displaying a visual form of a plurality of rotatable wheels for viewing by said user. 

1 10. The method of claim 1 where said step of displaying said selectable fields 

2 includes displaying a representation of a bingo card for viewing by said user. 

1 11. The method of claim 1 where said step of displaying said selectable fields includes 

2 displaying at least one of said fields as unreadable except when said one of said fields 

3 is being selected by said user. 

1 12. The method of claim 1 1 where said step of displaying said field as unreadable 

2 includes displaying a darkened field. 



1 13. The method of claim 1 1 where said step of displaying said field as unreadable 

2 includes displaying a non-informing character. 

1 14. The method of claim 1 where said step of randomizing said selectable fields is 

2 performed after accepting a previously inputted user selection of said fields. 

1 15. An apparatus for secure entry of an access code for secure access to an electronic 

2 service, comprising: 

3 (a) a randomizing module for initieilizing a plurality of fields selectable by a user 

4 to input an access code; 

5 (b) an output device configured to display, to said user, said plurality of selectable 

6 fields; 

7 (c) an input device configured to accept, fi^om said user, a plurality of selections 

8 chosen from among said fields; and 

9 (d) an access control module configured to grant, to said user, access to an 

10 electronic service if said plurality of selections correctly corresponds to said 

1 1 access code. 
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1 1 6. The apparatus of claim 1 5 wherein said service includes an automatic teller machine 

2 transaction. 

1 17. The apparatus of claim 15 wherein said output device is configured as a graphical user 

2 interface. 

1 1 8. The apparatus of claim 1 7 wherein said graphical user interface is an Internet browser. 

1 19. The apparatus of claim 15 wherein said output device is an audio device. 

1 20, A computer-readable medium containing logic instructions for secure entry of an 

2 access code for access to an electronic service, said logic instructions comprising: 

3 (a) randomizing program code configured to initialize a plurality of fields 

4 selectable by a user to input an access code; 

5 (b) display program code configured to present, to said user, said plurality of 

6 selectable fields; 

7 (c) input program code configured to accept, from said user, a plurality of 

8 selections chosen from among said fields; and 

9 (d) access control program code configured to grant, to said user, access to a 

10 transaction protected by said code if said accepted plursdity of selections 

1 1 correctly correspond to said access code. 
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FIGURE 1 

Authenticate by Entering Your PIN 

Enter your pin by clicking on the right entry in each column of the 
"bingo card". 

Click "Show Pin" to see the whole PIN as entered so far. Click "Hide 
Pin" to hide it again. 

Click Submit when you are sure you have entered the right PIN. 




I Show PIN ] Hide PIN 



{ Submit 



© 1998 byArcot Systems, Inc. All rights reserved. 
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